Because of new anti-fraud legislation around the globe and reemphasis on FCPA enforcement, organizations have beefed up their compliance departments. CFEs, with their ingrained skill sets, can consider new job directions.

Several years ago, the forensic audit team I managed in my previous job conducted multiple investigations of bribery and corruption in company offices in several European and Asian countries. We uncovered many bribe payments in exchange for additional business and increased revenues. Our team worked closely with our company’s corporate compliance department to revise corporate policies, develop training and awareness programs, and conduct proactive forensic audits to help prevent and deter further corruption within the company.

I was impressed with how corporate compliance worked closely with outside counsel and regulatory agencies to remediate the results of the investigations. The compliance team continuously consulted with the forensic audit department throughout this entire process.

We collectively reached a favorable conclusion for the company in light of the infractions. Although our groups worked independently of each other, I realized that much of the work performed by the compliance function stemmed from the involvement of the forensic audit team.

Our forensic audit team provided feedback to corporate compliance in these areas:

Investigation results.

Evaluation of the tone at the top within each country and business unit.

Employees’ knowledge of relevant company policies and procedures.

Internal control failures, which allowed the frauds to occur and remain undetected.

The compliance team used our feedback to enhance compliance programs and controls. The U.S. Department of Justice (DOJ) later deemed the program very effective. That recognition certainly contributed to the reduced fines and penalties the U.S. government levied against the company for the multiple instances of bribery and corruption. (See sidebar at end of article.)

The DOJ also recognized the members of our forensic audit department both internally and externally for being valuable team members during this entire process. Our CFE skills contributed to the prompt and effective resolution of this case. Additionally, the company used our findings to further enhance the company’s compliance program.

I was so impressed by the success of the cooperation between the two departments, I decided in 2011 to become a director of compliance as my next position, which has been a great career move.

Before countries enacted new legislation around the globe and the DOJ reemphasized enforcement of the Foreign Corrupt Practices Act (FCPA), organizations’ general counsels (GC) were responsible for managing and administering ethics and compliance departments. However, that has changed dramatically over the past few years. Risk managers, internal auditors and fraud examiners are now becoming chief compliance officers (CCO). Yes, that’s correct. CFEs are now in great demand as CCO candidates because of their diverse fraud risk management backgrounds and interpersonal skills.

More on CFE opportunities in a bit, but first let’s delve into some background.

LAWS OF THE LAND(S)

In the last decade or so, major corporate accounting, mortgage and investment frauds plus FCPA violations have spawned numerous global laws and regulations, such as the U.S. Sarbanes-Oxley Act, the U.S. Dodd-Frank Act, the U.K. Bribery Act, various European Union initiatives and Mexico’s new anti-money laundering law. They’re designed to restore investor confidence, reduce the risk of malfeasance and ensure consequences for wrongdoers.

Organizations have developed ethics and compliance programs so they can comply with internal codes of conduct and legal and regulatory requirements and ensure their employees make ethical decisions with the highest levels of integrity.

In the past few years, many large companies, such as Pfizer and Tyco International, violated the FCPA or other laws, but they received lower fines and penalties than if they hadn’t had effective compliance programs. This isn’t a good reason to develop compliance measures, but it can be a mitigating factor.

WHAT DOES THE CCO DO?

A CCO’s role often includes but isn’t limited to:

Developing and overseeing implementation of corporate-wide compliance strategy program consistent with the mission, vision and values of the organization.

Conducting investigations of allegations of fraud and/or misconduct.

Providing compliance and risk guidance to senior management including consultation with business leaders.

Overseeing and coordinating development of compliance policies and procedures including the organization’s code of conduct.

Ensuring that appropriate compliance policies and procedures are adopted, published and explained to employees and agents.

The creation of an effective compliance program is often dependent upon the creativity of the CCO role, support from senior leadership and assignment of sufficient resources to the function. A best-in-class compliance program requires all of the above. According to FCPAJobs, an effective CCO often demonstrates:

Knowledge of relevant laws and regulations and experience advising organizations on legal and regulatory matters, along with expertise in best practices for legal compliance programs.

Leadership in working within an organization to implement and maintain a comprehensive program designed to ensure regulatory compliance.

Ability to communicate complex issues clearly and concisely, with excellent verbal and written communication skills.

Ability to build strong, credible working relationships cross-functionally, including well-developed interpersonal skills and ability to gain support of and positively influence others’ behavior.

Ability to communicate and interface with regulators and other third parties, and diverse audiences at all levels of the organization.

Solid independent thinking and decision-making ability, along with the ability to discern and understand multiple viewpoints.

COMPONENTS OF A SOLID COMPLIANCE PROGRAM

To administer an effective compliance program, an organization must establish and maintain an organizational culture that “encourages ethical conduct and a commitment to compliance with the law.” (See the 2011 Federal Sentencing Guidelines Manual, “Effective Compliance and Ethics Program.”)

Tom Fox, an attorney and well-known expert on the FCPA, authored a blog in January 2013, in which he discussed the 10 “Hallmarks of Effective Compliance Programs” from the November 2012 Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, “A Resource Guide to the U.S. Foreign Corrupt Practices Act.”

Fox lists the 10 points and writes that the resource guide makes it clear that the points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess.” In other words, you should pay attention to these points to assess your own compliance regime:

Commitment from Senior Management and a Clearly Articulated Policy against Corruption.

Code of Conduct and Compliance Policies and Procedures.

Oversight, Autonomy and Resources.

Risk Assessment.

Training and Continuing Advice.

Incentives and Disciplinary Measures.

Third-Party Due Diligence and Payments.

Confidential Reporting and Internal Investigation.

Continuous Improvement: Periodic Testing and Review.

Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration.

JOB CUSTOM-MADE FOR CFES

The administration of an effective compliance program essentially involves these components:

Establish comprehensive written policies and procedures that implement the code of conduct and that address the specific risk areas you’ve identified.

Conduct effective training programs and otherwise disseminate information about the compliance program to officers and employees.

Establish and publicize a system for reporting violations.

Promptly and carefully investigate any reports of suspected misconduct and take corrective action if appropriate.

Fraud examiners are well equipped to manage these programs because of their educational backgrounds, knowledge, skill sets and experience. CFEs are experts at fraud risk management, which includes the development and implementation of programs and controls designed to deter, detect and remediate fraud and misconduct. A compliance program contains the same elements but includes a much broader focus than fraud. However, CFEs are positioned to manage this broader scope.

CFEs know laws and regulations, manage and communicate complex issues, work well with senior leadership and routinely maintain strong working relationships across multiple functions within organizations.

I’ve personally investigated cases involving embezzlement, anti-trust, FCPA, intellectual property, human resources matters and accounting fraud, among others. I’ve had to keep current on laws and regulations that affect these diverse areas and work with legal counsel to resolve these issues. It’s all great training for a CFE who would like to be a CCO because compliance programs must contain programs and controls designed to reduce the risk of violating laws and regulations.

CCOs often have to manage complex cases with diplomacy, negotiation skills and courage. CFEs continually investigate and manage complex fraud and misconduct cases such as FCPA violations, material accounting frauds and allegations against senior management that often significantly disrupt businesses. Like CCOs, they have to navigate delicate issues to help ensure timely and accurate conclusions with similar skills.

Because these fraud examinations require meetings and calls with executive management, CFEs often build strong relationships with top leadership. (In my previous job, I often joked that segment presidents with problems returned my calls before they called the customers or the CEO.) I benefitted tremendously from these relationships because C-level support is critical.

I routinely depend on relationship-building skills as I construct the compliance function; without support from top management my efforts would be worthless. Also, because I worked daily in my previous position with such corporate functions as human resources, legal, IT, operations and middle management, I’m comfortable working with these departments as a CCO.

I’ve also benefited from the worldwide relationships I’ve made as a CFE. I learned the company culture, developed an understanding of the business and learned the key stakeholders. (For example, I learned that all complaints in Brazil are channeled through the vice president of operations or general counsel for that region.) My methods for doing all those things transferred to my CCO responsibilities.

You’ve probably had to develop trust among your colleagues to get the job done. The CCO role requires support and sponsorship. For example, if a CCO develops a code of conduct or a new anti-corruption policy, he or she must rely upon local support. If the general counsel for a region fails to embrace the policies, then you know that everyone else also will ignore them.

My time as a CCO has been extremely challenging and rewarding. My team continues to conduct investigations in response to allegations of fraud and misconduct. We present our findings to management and ensure proper resolution of each case including disciplinary actions, civil or criminal actions, and recovery of assets. However, we also spend considerable time on proactive programs and controls including policy development, training and awareness, managing the revisions of the company’s code of conduct and other awareness programs.

We’re focused on the deterrence of fraud and misconduct. Compliance, of course, means preventing misconduct. We sit at the table with employees from across the world (it’s a big table!), discuss why people make bad decisions and how we can, as a company, encourage every employee to make ethical decisions every day. And the whole time we rely heavily upon our CFE skills.

A colleague of mine is doing the same thing for a major retail company. He’s encouraged by his opportunity to work in his expanded role as a director of compliance. He worked many years investigating fraud and earned his CFE credentials along the way. “It’s very interesting to work in a more proactive role,” he says. “As fraud examiners, we’re often used to responding to allegations of fraud; however, CCOs work just as much to develop programs and controls to mitigate risk as they do responding to violations. I like the challenges this opportunity presents me.” My colleague continues to use his CFE experience to work successfully in the compliance function.

YOUR NEXT CAREER MOVE?

Compliance can be a daunting challenge, but it’s also an opportunity to establish and promote operational excellence throughout the entire organization. Companies task CCOs with improving operations and overall performance. They don’t achieve these objectives through increased sales or product development but with the ability to manage risks that negatively impact the companies’ operational, strategic and financial objectives. This is a very difficult responsibility, but it provides excellent career opportunities.

The massive corporate frauds of the late 1990s and early 2000s spawned the need for individuals with fraud examination skills. An army of CFEs is positioned to manage these risks. Now’s the time to consider becoming the next CCO.

Implementing an effective compliance and ethics program under the U.S. corporate sentencing guidelines

The United States Sentencing Commission (USSC) began a study of sanctions for corporate wrongdoing in 1988. After three years of study and hearings, on May 1, 1991, the USSC submitted its “Proposed Guidelines for Sentencing Organizations” to Congress. The introductory commentary to the guidelines clearly states that they’re designed to provide incentives for organizations to maintain internal mechanisms for preventing, detecting and reporting criminal conduct. Among other things, the guidelines suggest a substantial reduction of fines for organizations that have effective compliance programs.

The USSC promulgated modifications to the existing provisions of Chapter 8 dealing with effective compliance and ethics programs for business organizations that became effective Nov. 1, 2004. These provisions (contained in Section 8B2.1) narrowly tailor the criteria for compliance and ethics programs, thereby providing organizations with guidance in establishing and maintaining effective programs for detecting and preventing internal illegal activities, as well as mitigating sentencing culpability.

Under the guidelines, if a convicted organization has an effective compliance program in place at the time of the offense, the sentencing judge will consider the organization’s act of due diligence in trying to prevent the illegality when deciding whether to increase or mitigate the sentence. The guidelines define an effective compliance program as one that’s reasonably designed, implemented and enforced so that generally it will be effective in preventing and detecting criminal conduct.

In April 2010, however, the USSC modified the sentencing guidelines for organizations, especially as they relate to compliance programs. The most significant change under the modified sentencing guidelines for organizations concerns the sentence-reduction credit for having an effective compliance program. Before the guidelines were modified, organizations were disqualified from receiving a reduction in sentencing for maintaining an effective compliance program if a “high-level person” was involved with the fraudulent activity. Under the modified guidelines, however, involvement of a high-level person is no longer an automatic bar from effective compliance program credit, but the amendments impose several conditions to receive a reduction under these circumstances, including a direct reporting requirement to the governing authority (board or audit committee). The changes became effective Nov. 1, 2010.

As provided by the guidelines, to have an “effective compliance and ethics program,” the organization shall:

Exercise due diligence to prevent and detect criminal conduct.

Otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

The guidelines require that such a compliance and ethics program be reasonably designed, implemented and enforced so that it’s generally effective in preventing and detecting criminal conduct. However, this section further provides that the failure to prevent or detect the offense in question doesn’t necessarily mean that the program is ineffective.

In designing such a program, each organization must consider certain factors:

Applicable industry size and practice. An organization’s failure to incorporate and follow industry practice or the standards called for by any applicable government regulation weighs against a finding that the program is effective.

Size of the organization. Large organizations are expected to devote more formal operations and greater resources to meeting the requirements than small organizations. For example, smaller organizations may use available personnel rather than employ separate staff to carry out ethics and compliance.

Recurrence of similar misconduct. The recurrence of a similar event creates doubt as to whether the organization took reasonable steps to meet the requirements.

Source: ACFE Fraud Examiners Manual, 2013 U.S. Edition, 4.608 – 9. See the section for more information on compliance programs.


The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.